In early October 2023, 23andMe, a consumer DNA testing company that sells ancestry reports, disclosed that it had suffered a data breach.
On 5 December 2023, the company acknowledged that the breach was far more damaging than it had initially reported.
Its first estimate was that the data of about 14,000 users had been compromised. In the December update, the company revealed that attackers had obtained the data of roughly 6.9 million users.
For reference, the service has about 14 million users, so the attackers obtained sensitive data from almost half of them.
The stolen information includes ancestry results, family-tree data, names, user locations, years of birth, and relationship labels, and this data is already being offered for sale on the dark web.
How can big companies keep their user’s data safe and avoid potential data breaches?
Cloud Data Security Posture Management (DSPM), for example, is a security solution designed to prevent data breaches for companies that handle a large amount of sensitive information.
Data Security Posture Management is a cloud-based cybersecurity solution designed to discover, classify, and manage access to important data.
Also, it detects vulnerabilities and threats that could lead to exploitation or escalate into hacking incidents such as data breaches.
For companies, DSPM monitors and manages the security and privacy of data across the entire IT estate, not just a single database or application.
The first step of the DSPM data protection process is discovery: finding out which data is stored where. The tool continually learns which data the company holds, so that it can later monitor that data and track who is accessing it.
Once it knows which data is there, it classifies it based on the type — to pinpoint sensitive data.
As a result, security teams have complete visibility of which data is within the system and who has access to it. They get a clear image of what needs to be protected from hackers looking to steal data.
The process of discovery and mapping is ongoing, not a one-off inventory.
This is essential for large businesses that add new data to their databases, change it, and move it from one part of the infrastructure to another every day. 23andMe fits that profile.
In October, 23andMe disclosed that the intrusion was possible because users had reused passwords that had already been exposed in breaches of other sites. The attackers did not have to guess anything: they replayed those leaked username and password pairs against the 23andMe login (credential stuffing), which is distinct from a brute-force attack in that each account is typically tried only once or twice.
Once a login succeeded, the attacker could read not only that user's own information but also the data of every relative the user had matched with on the site, which is how roughly 14,000 compromised accounts exposed the data of millions.
How do you uncover the intrusion once the attacker is already inside with valid credentials?
Access management is one of the core capabilities of DSPM. It enforces stricter controls and checks that the user who is logging in is who they claim to be.
It enforces access best practices, from requiring two-factor authentication to using machine learning to flag anomalous access patterns across the business's infrastructure.
For instance, it can enforce a zero trust model, which treats every login as untrusted until verified, even when the credentials are correct.
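Two log-based checks follow from the attack path described above, in an added example that is not part of the original article and not from any DSPM vendor or from 23andMe. The first classifies each source IP in an authentication log by the shape of its attempts: many distinct accounts with about one attempt each is credential stuffing, many attempts against one account is brute force. The second looks at the application's access log for sessions that pull far more relatives' profiles than a person would browse. The log formats, thresholds, IP addresses and account names are constructed for illustration.

```python
from collections import defaultdict

# Constructed authentication log (not real data): timestamp, source IP, account, result.
AUTH_LOG = """\
2023-10-01T02:00:01Z 198.51.100.7 alice@example.com FAIL
2023-10-01T02:00:02Z 198.51.100.7 bob@example.com FAIL
2023-10-01T02:00:03Z 198.51.100.7 carol@example.com OK
2023-10-01T02:00:04Z 198.51.100.7 dave@example.com FAIL
2023-10-01T02:00:05Z 198.51.100.7 erin@example.com OK
2023-10-01T02:00:06Z 198.51.100.7 frank@example.com FAIL
2023-10-01T02:01:00Z 203.0.113.9 grace@example.com FAIL
2023-10-01T02:01:01Z 203.0.113.9 grace@example.com FAIL
2023-10-01T02:01:02Z 203.0.113.9 grace@example.com FAIL
2023-10-01T02:01:03Z 203.0.113.9 grace@example.com FAIL
2023-10-01T02:01:04Z 203.0.113.9 grace@example.com FAIL
2023-10-01T02:01:05Z 203.0.113.9 grace@example.com FAIL
2023-10-01T09:15:00Z 192.0.2.44 heidi@example.com FAIL
2023-10-01T09:15:20Z 192.0.2.44 heidi@example.com OK
"""

# Constructed application access log (not real data): timestamp, session, relative viewed.
ACCESS_LOG = """\
2023-10-01T02:10:00Z sess-carol rel-101
2023-10-01T02:10:01Z sess-carol rel-102
2023-10-01T02:10:02Z sess-carol rel-103
2023-10-01T02:10:03Z sess-carol rel-104
2023-10-01T02:10:04Z sess-carol rel-105
2023-10-01T02:10:05Z sess-carol rel-106
2023-10-01T09:20:00Z sess-heidi rel-201
2023-10-01T09:21:00Z sess-heidi rel-202
"""


def parse_auth(log):
    """Yield (timestamp, ip, account, succeeded) for each auth log line."""
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        yield ts, ip, account, result == "OK"


def classify_sources(log, min_accounts=5, min_attempts=5):
    """Label each source IP by the shape of its login attempts.

    credential_stuffing: many distinct accounts, about one attempt each
    (a leaked credential list being replayed). brute_force: many attempts
    concentrated on few accounts. normal: everything else. Thresholds are
    assumed values; tune them to the site's real traffic.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set()})
    for _, ip, account, _ok in parse_auth(log):
        per_ip[ip]["attempts"] += 1
        per_ip[ip]["accounts"].add(account)
    labels = {}
    for ip, s in per_ip.items():
        n_acc = len(s["accounts"])
        attempts_per_account = s["attempts"] / n_acc
        if n_acc >= min_accounts and attempts_per_account <= 2:
            labels[ip] = "credential_stuffing"
        elif s["attempts"] >= min_attempts and attempts_per_account >= 3:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


def accounts_to_reset(log):
    """Accounts that logged in successfully from a source labelled as stuffing.

    These are the passwords known to be valid AND leaked elsewhere: force a
    reset and revoke their sessions rather than waiting for the user to notice.
    """
    labels = classify_sources(log)
    return sorted({acc for _, ip, acc, ok in parse_auth(log)
                   if ok and labels[ip] == "credential_stuffing"})


def flag_relative_scraping(log, max_profiles=5):
    """Sessions that fetch more distinct relatives' profiles than a human would browse."""
    seen = defaultdict(set)
    for line in log.splitlines():
        _, session, relative = line.split()
        seen[session].add(relative)
    return sorted(s for s, rels in seen.items() if len(rels) > max_profiles)


if __name__ == "__main__":
    print(classify_sources(AUTH_LOG))
    print("reset:", accounts_to_reset(AUTH_LOG))
    print("scraping sessions:", flag_relative_scraping(ACCESS_LOG))
```

The point of the second check is that a stuffing attack against a site with a relative-matching feature is only half detected at the login: a session that behaves like a crawler against other people's profiles is a separate signal, and it fires even when the login itself looked clean. In production you would key on ASN and user agent as well as IP, and alert on the per-session profile count in a sliding window rather than over the whole log.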
23andMe did offer two-factor authentication at the time, but it only made the step mandatory for all users after the breach.
A class action lawsuit has already been filed because the hacker shared the data on hacking forums in October.
Although not every user is concerned about data privacy, thousands have already contacted the Canadian law firm that prepared the case and asked to join it.
The firm claims that 23andMe didn’t adhere to proper data privacy practices and, with it, put the sensitive data of Canadian citizens at risk.
How could DSPM help?
DSPM helps large enterprises that store high volumes of data enforce regulatory compliance across the entire infrastructure and verify that it follows cybersecurity and privacy best practices.
The types of compliance or the best cybersecurity practices a business needs to meet will depend on the industry. In the case of 23andMe, we’re talking about a company that holds a lot of sensitive data.
The company’s official site states that they follow the GDPR — data privacy for EU users. It’s not yet clear if they followed the prescribed practices of other relevant regulatory laws.
After a data breach occurs, the most a company can do is try to reduce the reputational and financial damage. The data is already out in the world — in most cases, available on hacking forums.
So how can you mitigate damage when cybercriminals have already compromised a company?
Rebuild the trust by offering free identity protection services if the sensitive data has been leaked.
Trust is difficult to rebuild, especially for companies such as 23andMe that claim, "At 23andMe, Privacy is in our DNA." Big promises have to be backed up with good security practices.
How a company handles a data breach also matters. 23andMe took some time before it began notifying affected users.
Data security is different for smaller companies vs those that have complex infrastructure, millions of users, and databases filled to the brim with personally identifiable information.
The truth is — both cybersecurity and data privacy are more complex and challenging at scale.
Therefore, larger enterprises that handle sensitive information require more robust security and tools that can continually monitor the entire architecture, such as DSPM.